February 23, 2021

Enhance Vault Secrets Management with Puppet

Security & Compliance
How to & Use Cases

Security is paramount in today's digital world. Bad actors can use sensitive data to wreak havoc across thousands of machines in minutes if organizations do not have a solid cybersecurity strategy.

This blog post explores the importance of secrets management, and how Puppet and HashiCorp Vault adds an extra layer of protection as you continue to build out your cybersecurity strategy.

Back to top

What are Secrets?

Secrets are digital authentication credentials that include passwords, API tokens, encryption keys, certificates, and tokens stored across an IT environment.

Secrets management with DevOps tools is critical in securely retaining and tightly controlling access to secrets and sensitive data.

Compliance requirements and regulations are increasingly calling for key management and strong encryption as part of a business's cybersecurity strategy. These are no longer optional but mandatory security requirements as DevOps also gains in popularity for agile development and application deployment.

How to Get More from Your Existing Compliance Resources

Your IT ops team can chip in on compliance – and it doesn't have to be a burden. Watch a helpful webinar (or bookmark it for later) for tips and strategies for getting buy-in.


Securing sensitive data (called “secrets”) — such as passwords, machine credentials, and API keys — is not always simple to manage manually, especially at an enterprise scale. A common challenge is limited visibility across your infrastructure, and another is the struggle to tighten processes and tools to limit users' access to that sensitive data globally.

The question becomes: How do you get a grasp on enterprise secrets as you increase your automation efforts across your Infrastructure & Operations (I&O) teams? There has to be a way to centrally store, distribute, and track these vital configuration settings while gaining more flexibility, right?

Back to top

How to Retrieve Secrets with Automation

Below is an example of how your automation platform should leverage secrets from a secrets management tool. Agents should be allowed to retrieve secrets from your secrets management platform when a catalog is applied. In this way, the secret data is not embedded in the catalog, and the server never sees it.

In this manifest, call the vault_lookup::lookup function using the Deferred type.

$d = Deferred('vault_lookup::lookup', ["secret/test", 'https://vault.hostname:8200'])
node default {
     notify { example :
          message = > $d

The lookup function will be run on the agent and the value of $d will be resolved when the catalog is applied. This will make a call to https://vault.hostname:8200/v1/secret/test and wrap the result in strings marked as sensitive, which prevents the value from being visibly logged.

Back to top

What is Secrets Management?

Secrets management is a method for keeping secrets secure within your infrastructure and in transit across your network.

Secrets management is more than just adding a few controls around sensitive configuration properties. IT practitioners should be able to create policies controlling user access and authorization via Role-Based Access Control (RBAC).

If your I&O teams are currently using an automation platform and are comfortable with your DevOps and DevSecOps practices, further tightening your security controls is paramount. A recommendation is to integrate your existing automation platform with a secrets management tool. Improve your security posture with another vital mechanism that keeps a detailed log of all requests and responses, further simplifying your organization's compliance workflows and auditing processes.

Are you concerned about keeping your data encrypted as you scale your automation platform?

End-to-end encryption of your secret data provides another layer of protection. Secrets management, coupled with each host system's ability to look up only secrets to which it has access, simplifies the communication across your infrastructure. The central automation server will no longer be responsible for managing access to all the secrets data.

What about secrets sprawl?

Secrets sprawl is another challenge when managing passwords and credentials at scale across enterprise infrastructure. If those secrets are in plain text, then you have an even bigger problem. Most enterprise companies have hundreds or thousands of database, application, development, and production servers, all accumulating secrets data. Whether the data is stored in GitHub, Dropbox, or an internal repository, centrally managing all of your secrets information is critical to keeping sprawl under control.

Do you worry about secrets data stored in your public cloud infrastructures such as AWS, Azure, or GCP?

A solid secrets management plan should integrate with most cloud providers and their authentication methods. Be sure your automation platform follows these same authentications and integration protocols.

Now that you have a solid understanding of the importance of a secrets management strategy, let's bring it all together with Puppet Enterprise and HashiCorp Vault.

Back to top

What is Vault Secrets Management?

HashiCorp Vault is a service you can use to store and control access to secrets.

You can add an extra layer of security by integrating Vault with Puppet, allowing Puppet to safely retrieve and distribute secrets used in your automation workflows without storing or exposing the information. Integrating Puppet and Vault for secrets management can reduce secrets exposure and provide a high security level across your environments.

Puppet Can Help with Zero Trust, Too. Here's How.

Download "Achieving Zero Trust Security with Puppet Enterprise" to discover how Puppet works for a zero trust use case.

A cover of an eBook by Puppet. Text reads: Achieving zero trust security with Puppet Enterprise.



Some of the benefits of integrating Puppet Enterprise and HashiCorp Vault are:

  • Improve security posture and implement secure automation best practices.
  • Increase user control over secrets that affect nodes managed by Puppet.
  • Leverage secrets from Vault according to best practices and your organization’s security policy.
  • A detailed audit log provides a record of who accessed sensitive data and when, and what actions were taken for enhanced tracking.
Back to top

How to Use Puppet + Vault Secrets Management

An illustration of Puppet and Vault integration.

The high-level steps of how Puppet and HashiCorp Vault interacts are listed below:

  1. The Puppet agent starts an agent run and communicates with the Puppet server to get the catalog data.
  2. The Puppet agent authenticates to Vault to get the secrets data via a deferred function utilizing the Vault lookup plugin.
  3. The Vault lookup plugin authenticates to Vault using the TLS auth method by presenting the Puppet agent SSL certificate.
  4. Vault validates the Puppet agent SSL certificate by checking that the certificate has been signed by the Puppet Server CA and has not been revoked.

Managing systems at scale and ensuring secrets are stored securely can be difficult for any organization. Puppet has a history of helping some of the largest, most complex Global 5000 companies achieve cybersecurity resilience and success with DevOps.

If you're looking for where to start or how to scale your current practices, reach out to us to see how Puppet Professional Services can help your organization. And learn more about Puppet and HashiCorp Vault integration.

Not using Puppet yet? Get started with your free trial today.


Learn More

Back to top